- id: cluster-ops-001 fact: "kubeconfig at /paperclip/.kube/config uses stale flea-flicker token; must use in-cluster SA token via curl to kubernetes.default.svc" source: "direct investigation 2026-04-05" confidence: confirmed created: "2026-04-05" - id: cluster-ops-002 fact: "CTO agent RBAC: read/write to groombook-dev and groombook-uat; read-only cluster-wide. Cannot annotate Flux resources in groombook namespace." source: "403 Forbidden when trying to PATCH kustomization in groombook namespace, 2026-04-05" confidence: confirmed created: "2026-04-05" - id: cluster-ops-003 fact: "Flux groombook-uat kustomization: interval 1h, no retryInterval. In groombook namespace watching GitRepository groombook on main branch." source: "kubectl API query 2026-04-05" confidence: confirmed created: "2026-04-05" - id: cluster-ops-004 fact: "kubeseal public cert available via API proxy: /api/v1/namespaces/kube-system/services/sealed-secrets-controller:http/proxy/v1/cert.pem" source: "successful fetch 2026-04-05" confidence: confirmed created: "2026-04-05" - id: cluster-ops-005 fact: "Completed Kubernetes Jobs with immutable spec.template block Flux reconciliation dry-run. Must delete stale Jobs before Flux can re-apply." source: "GRO-468 investigation 2026-04-05, migrate-schema-ff216ea and seed-test-data-ff216ea" confidence: confirmed created: "2026-04-05"